Professional Documents
Culture Documents
|
Security
Solutions All Microsoft
Products
Search
Operations & Intelligence
Sign in
Partners
April 23, 2019
Resources
Lessons learned from the Microsoft SOC—Part 2a:
Organizing people
Trust Center
In the second post in our series, we focus on the most valuable resource in the
security operations center (SOC)—our people. This series is designed to share our
approach and experience with operations, so you can use what we learned to
improve your SOC. In Part 1: Organization, we covered the SOC’s organizational
role and mission, culture, and metrics.
The lessons in the series come primarily from Microsoft’s corporate IT security
operation team, one of several specialized teams in the Microsoft Cyber Defense
Operations Center (CDOC). We also include lessons our Detection and Response
Team (DART) have learned helping our customers respond to major incidents.
People are the most valuable asset in the SOC—their experience, skill, insight,
creativity, and resourcefulness are what makes our SOC effective. Our SOC
management team spends a lot of time thinking about how to ensure our people
are set up with what they need to succeed and stay engaged. As we’ve improved
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 1/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
our processes, we’ve been able to decrease the time it takes to ramp people up and
increase employee enjoyment of their jobs.
Today, we cover the first two aspects of how to set up people in the SOC for
success:
Rapidly sorting out the signal (real detections) from the noise (false positives) in the
SOC requires investing in both humans and automation. We strongly believe in the
power of automation and technology to reduce human toil, but ultimately, we’re
dealing with human attack operators and human judgement is critical to the
process.
In our SOC, automation is not about using efficiency to remove humans from the
process—it is about empowering humans. We continuously think about how we
can automate repetitive tasks from the analyst’s job, so they can focus on the
complex problems that people are uniquely able to solve.
We also found that we need to constantly refine the automation because attackers
are creative and persistent, constantly innovating to avoid detections and
preventive controls. When an effective attack method is identified (like phishing),
they exploit it until it stops working. But they also continually innovate new tactics
to evade defenses introduced by the cybersecurity community. Given the profit
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 2/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
When repetitive and boring work is automated, analysts can apply more of their
creative minds and energy to solving the new problems that attackers present to
them and proactively hunting for attackers that got past the first lines of defense.
We’ll discuss areas where we use automation and machine learning in “Part 3:
Technology.”
At Microsoft, we organized our SOC into specialized teams, allowing them to better
develop and apply deep expertise, which supports the overall goals of reducing
time to acknowledge and remediate.
This diagram represents the key SOC functions: threat intelligence, incident
management, and SOC analyst tiers:
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 3/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
hunting operations, and defensive measures for known threats. These strategic
(business) and tactical (technical) intelligence goals are related but distinctly
different from each other. We task different teams for each goal and ensure
processes are in place (such as daily standup meetings) to keep them in close
contact.
SOC analyst tiers—This three-tier model for SOC analysts will probably look
familiar to seasoned SOC professionals, though there are some subtleties in our
model we don’t see widely in the industry.
Our organization uses the term hot path and cold path to describe how we
discover adversaries and optimize processes to handle them.
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 4/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Tier 1—This team is the primary front line for and focuses on high-speed
remediation over a large volume of incidents. Tier 1 analysts respond to a very
specific set of alert sources and follow prescriptive instructions to investigate,
remediate, and document the incidents. The rule of thumb for alerts that Tier 1
handles is that it can be typically remediated within seconds to minutes. The
incidents will be escalated to Tier 2 if the incident isn’t covered by a documented
Tier 1 procedure or it requires involved/advanced remediation (for example, device
isolation and cleanup).
In addition:
A current initiative for the full-time employee Tier 1 team is to increase the
use of automated investigation and remediation for these incidents. One
goal of this initiative is to grow the skills of our current Tier 1 employees, so
they can shift to proactive work in other security assignments in SOC or
across the company.
Tier 1 (and Tier 2) SOC analysts may stay involved with an escalated incident
until it is remediated. This helps preserve context during and after
transferring ownership of an incident and also accelerates their learning and
skills growth.
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 5/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
The typical ratio of alert volumes is noted in the Tiers and Tools diagram
above. (We’ll share more details in “Part 3: Technology.”)
Tier 2—This team is focused on incidents that require deeper analysis and
remediation. Many Tier 2 incidents have been escalated from Tier 1 analysts, but
Tier 2 also directly monitors alerts for sensitive assets and known attacker
campaigns. These incidents are usually more complex and require an approach that
is still structured, but much more flexible than Tier 1 procedures. Additionally, some
Tier 2 analysts also proactively hunt for adversaries (typically using lower priority
alerts from the same Microsoft Threat Protection tools they use to manage reactive
incidents).
The structure of Tier 3 has changed over time, but has recently gravitated to four
different functions:
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 6/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Learn more
Stayed tuned for the second segment in “Lessons learned from the Microsoft SOC
—Part 2,” where we’ll cover career paths and readiness programs for people in our
SOC. And finally, we’ll wrap up this series with “Part 3: Technology,” where we’ll
discuss the technology that enables our people to accomplish their mission.
For more discussion on some of these topics, see John and Kristina’s session
(starting at 1:05:48) at Microsoft’s recent Virtual Security Summit.
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 7/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Lessons learned from the Microsoft SOC Part 2b: Career paths and
readiness
Filed under:
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 8/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Read more
Microsoft is a leader in
cybersecurity, and we embrace our
responsibility to make the world a
safer place.
LEARN MORE
Surface Pro 7 Microsoft Store Office 365 for Government Developer Privacy at
support schools Network Microsoft
Windows 10 apps Healthcare
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 9/10
14/04/2020 Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Microsoft
Garage
Sitemap Contact Microsoft Privacy & cookies Terms of use Trademarks Safety & eco About our ads
© Microsoft 2020
https://www.microsoft.com/security/blog/2019/04/23/lessons-learned-microsoft-soc-part-2-organizing-people/ 10/10